prohibit users from creating cards in another user's decks

src/modules/cards/use-cases/delete-card-by-id-use-case.ts

@@ -1,4 +1,4 @@
-import { BadRequestException, NotFoundException } from '@nestjs/common'
+import { ForbiddenException, NotFoundException } from '@nestjs/common'
 import { CommandHandler, ICommandHandler } from '@nestjs/cqrs'
 
 import { CardsRepository } from '../infrastructure/cards.repository'
@@ -16,7 +16,7 @@ export class DeleteCardByIdHandler implements ICommandHandler<DeleteCardByIdComm
 
     if (!card) throw new NotFoundException(`Card with id ${command.id} not found`)
     if (card.userId !== command.userId) {
-      throw new BadRequestException(`You can't delete a card that you don't own`)
+      throw new ForbiddenException(`You can't delete a card that you don't own`)
     }
 
     await this.cardsRepository.deleteCardById(command.id)

src/modules/cards/use-cases/update-card-use-case.ts

@@ -1,4 +1,4 @@
-import { BadRequestException, NotFoundException } from '@nestjs/common'
+import { ForbiddenException, NotFoundException } from '@nestjs/common'
 import { CommandHandler, ICommandHandler } from '@nestjs/cqrs'
 
 import { FileUploadService } from '../../../infrastructure/file-upload-service/file-upload.service'
@@ -29,7 +29,7 @@ export class UpdateCardHandler implements ICommandHandler<UpdateCardCommand> {
     if (!card) throw new NotFoundException(`Card with id ${command.cardId} not found`)
 
     if (card.userId !== command.userId) {
-      throw new BadRequestException(`You can't change a card that you don't own`)
+      throw new ForbiddenException(`You can't change a card that you don't own`)
     }
 
     let questionImg, answerImg

src/modules/decks/use-cases/create-card-use-case.ts

@@ -1,9 +1,11 @@
+import { ForbiddenException } from '@nestjs/common'
 import { CommandHandler, ICommandHandler } from '@nestjs/cqrs'
 
 import { FileUploadService } from '../../../infrastructure/file-upload-service/file-upload.service'
 import { CreateCardDto } from '../../cards/dto'
 import { Card } from '../../cards/entities/cards.entity'
 import { CardsRepository } from '../../cards/infrastructure/cards.repository'
+import { DecksRepository } from '../infrastructure/decks.repository'
 
 export class CreateCardCommand {
   constructor(
@@ -19,12 +21,19 @@ export class CreateCardCommand {
 export class CreateCardHandler implements ICommandHandler<CreateCardCommand> {
   constructor(
     private readonly cardsRepository: CardsRepository,
+    private readonly decksRepository: DecksRepository,
     private readonly fileUploadService: FileUploadService
   ) {}
 
   async execute(command: CreateCardCommand): Promise<Card> {
     let questionImg, answerImg
 
+    const deck = await this.decksRepository.findDeckById(command.deckId)
+
+    if (deck.userId !== command.userId) {
+      throw new ForbiddenException(`You can't create cards in a deck that you don't own`)
+    }
+
     if (command.questionImg && command.answerImg) {
       const addQuestionImagePromise = this.fileUploadService.uploadFile(
         command.questionImg?.buffer,